The Biggest Cause of Data Breaches?

AI Regulation, Threat Actor Breakdown & Career Advice

Good morning!

In today’s line up:

  • The importance of Third Party Security

  • The EU releases a first-of-its-kind AI regulation

  • Okta Warns of Social Engineering Attacks

  • Threat Actor Breakdown – Tools, Tactics and Techniques

  • Join a free Security Training Community

  • PLUS, a win-win-win job hunting tip!

The Importance of Third Party Security

More than 50% of organisations in 2022 experienced a data breach originating from third parties.

This has made Third Party Security one of the most in-demand areas to work in, and it happens to be one of the best for learning and development.

What is Third-Party Security?

  • It’s a set of practices, services and tools that identify and protect your organisation from risks originating from third parties such as vendors, partners, contractors, consultants and applications, and from their third parties as well (fourth parties).

Growing attack surface:

  • Third parties are an expansion of your attack surface. This means that organisations need a robust Third Party Risk Management Program to monitor and manage risks associated with their third parties.

Responsibilities:

  • Organisations perform security assessments on these third parties, with the depth of the assessment scaled to how critical the third party’s service is to their operations.

  • They’re seeking to understand their security posture and make a decision on whether to do business with them (or continue doing business).

  • Also, it goes both ways! If you provide services to other organisations, you’ll likely have to respond to their security assessments too.

How it works:

  • Third party security teams typically create questionnaires based on industry frameworks (NIST CSF, ISO 27001, etc.)

  • Third parties are assessed against these questionnaires periodically. If anything isn’t up to the mark, remediation is requested; if it doesn’t happen, the business goes elsewhere.

Interestingly, there is a power dynamic.

  • For example, AWS isn’t filling in anyone’s questionnaire. With hundreds of thousands of organisations using their services, they are big enough to call the shots.

  • Instead, their audit reports (SOC 2, ISO certifications) are available to customers through AWS Artifact - take it or leave it.

The challenge:

  • Co-operation between organisations is tricky, because these processes are time-consuming and tedious. To be successful, you need strong interpersonal skills to win over the third party and gather the data you need to form your assessment.

Why you should consider it as a career:

  • Your knowledge of security controls will be elite.

  • You’ll build great interpersonal skills.

  • You get to see how security operates across dozens of organisations!

  • You’ll get massive insight in a small window of time (more insights = more opportunities in future).

The EU Releases AI Regulation

The European Union has put forward a first-of-its-kind regulation - the Artificial Intelligence Act.

The Act classifies AI into 4 categories with proportionate requirements:

  1. Unacceptable: Banned (e.g. social scoring based on behaviour)

  2. High: Pre-launch approval required (e.g. educational or law enforcement use)

  3. Generative: Disclose that content is AI-generated and publish a summary of the training data used (e.g. ChatGPT)

  4. Limited: Users must be made aware they are dealing with AI so they can decide whether or not to proceed, much like cookie banners (e.g. deepfake generation)

How do you think these rules will be enforced against malicious actors who simply ignore them?

Read more here.

Okta Warns of Social Engineering Attacks

  • Okta recently warned of social engineering attacks in which threat actors called customers’ IT service desks to get multi-factor authentication reset on highly privileged accounts.

  • The attackers used a phishing kit called 0ktapus and were possibly linked to Muddled Libra and Scattered Spider (different vendors’ names for overlapping activity).

  • As countermeasures, Okta suggested customers enforce phishing-resistant authentication (e.g. FIDO2/WebAuthn or Okta FastPass), tighten identity verification at the help desk, and limit the use of Super Administrator roles.

More here.
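The two countermeasures above can be checked rather than just recommended. The following is an added example (not Okta’s code and not from the original newsletter) that audits a list of users for admin roles lacking an active phishing-resistant factor, admins with phishable factors still enrolled, and a tenant-wide count of Super Administrators. The sample users are constructed to mimic the shape of Okta’s user, role and factor objects (the `SUPER_ADMIN` role type and the `webauthn`, `signed_nonce`, `sms`, `push` factor types are real Okta values); the data itself is made up, and the `max_super_admins` threshold is an assumed policy, not an Okta setting.

```python
"""Audit an Okta tenant's admins for phishing-resistant MFA and Super Admin sprawl.

Added example; not Okta's code. The sample data below is constructed to mimic
the shape of the Okta Admin API responses for users, their roles and their
factors. In production you would fetch those with an API token and pass them
to audit_tenant().
"""
from dataclasses import dataclass

# Okta factor types that are phishing-resistant: FIDO2/WebAuthn authenticators
# and Okta FastPass (reported by the API as "signed_nonce").
PHISHING_RESISTANT = {"webauthn", "signed_nonce"}

# Factors an attacker can intercept, or get reset by a help-desk call.
PHISHABLE = {"sms", "call", "email", "question"}


@dataclass(frozen=True)
class Finding:
    user: str      # user login, or "tenant" for tenant-wide findings
    severity: str  # "high" or "medium"
    issue: str


def active_set(items, key):
    """Collect the `key` value of every item whose status is ACTIVE."""
    return {item[key] for item in items if item.get("status", "ACTIVE") == "ACTIVE"}


def audit_user(user):
    """Return the findings for a single user; non-admins produce none."""
    login = user["profile"]["login"]
    roles = active_set(user["roles"], "type")
    factors = active_set(user["factors"], "factorType")
    findings = []

    if not any(role.endswith("_ADMIN") for role in roles):
        return findings

    # A pending WebAuthn enrolment does not protect anything, so only active
    # factors count.
    if not factors & PHISHING_RESISTANT:
        severity = "high" if "SUPER_ADMIN" in roles else "medium"
        findings.append(Finding(login, severity,
                                "admin role without an active phishing-resistant factor"))

    weak = factors & PHISHABLE
    if weak:
        findings.append(Finding(login, "medium",
                                f"admin has phishable factors enrolled: {sorted(weak)}"))
    return findings


def audit_tenant(users, max_super_admins=3):
    """Audit every user and add a finding if Super Administrators exceed the limit."""
    findings = [f for user in users for f in audit_user(user)]
    supers = sorted(u["profile"]["login"] for u in users
                    if "SUPER_ADMIN" in active_set(u["roles"], "type"))
    if len(supers) > max_super_admins:
        findings.append(Finding("tenant", "high",
                                f"{len(supers)} Super Administrators exceeds limit "
                                f"of {max_super_admins}: {supers}"))
    return findings


# Constructed sample data in the shape of Okta user/role/factor objects.
SAMPLE_USERS = [
    {"profile": {"login": "alice@example.com"},
     "roles": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "webauthn", "status": "ACTIVE"}]},
    {"profile": {"login": "bob@example.com"},
     "roles": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "sms", "status": "ACTIVE"},
                 {"factorType": "push", "status": "ACTIVE"}]},
    {"profile": {"login": "carol@example.com"},
     "roles": [{"type": "ORG_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "token:software:totp", "status": "ACTIVE"}]},
    {"profile": {"login": "dave@example.com"},
     "roles": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
     "factors": [{"factorType": "webauthn", "status": "PENDING_ACTIVATION"}]},
]

if __name__ == "__main__":
    for finding in audit_tenant(SAMPLE_USERS, max_super_admins=2):
        print(f"[{finding.severity}] {finding.user}: {finding.issue}")
```

On the sample data, alice is clean, bob and dave are Super Admins with no usable phishing-resistant factor (dave’s WebAuthn enrolment is still pending), carol is a lesser admin relying on TOTP, and with a policy limit of two the tenant itself is flagged for having three Super Administrators.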

DuckTail Threat Actor Tactics, Techniques and Procedures

Zscaler ThreatLabz has provided an in-depth look into the tactics, techniques, and procedures of the DuckTail threat actors. Their work granted them unprecedented visibility into DuckTail’s end-to-end operations, spanning the entire kill chain from reconnaissance to post-compromise.

Key Takeaways:

  1. Ideal Social Engineering Target: DuckTail threat actors primarily target users working in the digital marketing and advertising space. Unfortunately, the tech layoffs of 2022 and 2023 pushed more eager candidates into the job market, meaning more prime targets for DuckTail.

  2. Raiding Business and Ad Accounts: DuckTail targets Facebook and TikTok business accounts, and Google ad accounts. Stolen social media business accounts feed an underground economy where these accounts are traded among other users in Vietnamese Telegram groups.

  3. Social Engineering as the Distribution Method: DuckTail’s primary distribution vector continues to be social engineering through LinkedIn messaging. Threat actors set up fake LinkedIn recruiter profiles and fake job postings impersonating popular companies to lure unsuspecting victims looking for employment.

  4. Expanding and Always Evolving: DuckTail continues to expand the list of cloud services abused for hosting and distributing payloads.

  5. Exploiting Themes of Innovative AI Online Tools: DuckTail threat actors have successfully weaponized the recent popularity of generative AI platforms, such as ChatGPT and Google Bard AI, to lure victims to install malicious software.

  6. Stealthy and Strategic Maneuvers: DuckTail threat actors log in to compromised social media business accounts through private residential proxy services so that the logins look like ordinary consumer traffic and don’t raise security alarms. In addition, they abuse Facebook’s "Encrypted notifications" feature to prevent the victim from performing an account recovery.

Detailed breakdown here.

Free Professional Cyber Security Community

Are you looking for professional communities to broaden your network and accelerate your learning?

  • The SANS Cyber Security Training Community might be a good fit.

  • SANS is the world's largest provider of cyber security training.

  • Membership in the SANS.org community gives you access to SANS’s free online cyber security training tools and resources.

  • You can connect with the best and brightest in the cyber security training community and be prepared when you’re ready to take your interests and skills to the next level.

You can explore here.

A Win-Win-Win Job Hunting Tip

If you’re on LinkedIn and your profile is optimised, chances are you’ll have recruiters in your inbox.

Many of those opportunities won’t be suitable for you, but rather than ignoring the recruiter or simply declining, think about someone in your network who may be a good fit.

By referring one of your friends you help the recruiter, so they’ll consider you for more opportunities in future. You also help your friend land an awesome job, and one day they may return the favour.

Win-win-win.

Wisdom

“Learn to write well. Success in so many jobs depends on it.”

Unknown

The best cyber security professionals have strong writing skills.

It’s needed to communicate with a range of stakeholders, translate technical details into digestible language, justify why things should be done a certain way, and win people over.

Writing is like any other skill: it requires practice.

Think about who you’re writing for, the structure you use, the language, the outcome you want to achieve and whether you want someone to take an action based on your comments.

Start today.